How a vulnerability disclosure policy lets hackers help you

In 2015, two US security researchers, Charlie Miller and Chris Valasek, remotely hacked a Jeep Cherokee as it drove down a highway, sending commands through the car's internet-connected entertainment system to the systems behind the dashboard. They could manipulate the steering, brakes, transmission, radio and even the windscreen wipers. Nobody was hurt; the researchers were demonstrating a security flaw to the (slightly terrified) Wired journalist behind the wheel. But their work led Chrysler to recall 1.4 million vehicles, and showed that the car industry needed to get serious about security flaws.

Roughly six months after the story was published, General Motors launched a vulnerability disclosure policy (VDP) on HackerOne, a bug bounty and disclosure platform, in an effort to encourage ethical hackers to report security flaws to the company. A VDP is a public statement of what is in scope, how to submit a report and what the company commits to in return, typically an acknowledgement, a response timeline and an assurance that good-faith researchers will not face legal action. “If you have information related to security vulnerabilities of General Motors products and services, we want to hear from you,” reads the page on HackerOne's platform. “Please submit a report in accordance with the guidelines below. We value the positive impact of your work and thank you in advance for your contribution.”

How common is a vulnerability disclosure policy (VDP)?

This open-door approach to ethical hacking is still far from the norm. HackerOne's 2018 Hacker Report, which surveyed 1,698 members of the hacking community, found that almost one in four ethical hackers had at some point declined to report a vulnerability because the company in question had no VDP through which to receive it. Those who had tried to notify a company through other channels, such as email or social media, also said they were “frequently ignored or misunderstood”.

The situation is slowly improving: 72 percent of the respondents in the report said companies were becoming more open to receiving information on vulnerabilities. But 94 percent of the Forbes Global 2000 still haven't published a VDP – something they may come to regret.
